NGINX making external connections as nobody
CSF is informing me of NGINX making external connections. The process is running as nobody.
Account: nobody
Uptime: 33945 seconds
Executable:
/usr/sbin/nginx
Command Line (often faked in exploits):
nginx: worker process
Network connections by the process (if any):
tcp: xx.xx.xx.xx:80 -> 213.226.121.9:55216
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:53414
tcp: xx.xx.xx.xx:80 -> 185.119.81.101:55108
tcp: xx.xx.xx.xx:443 -> 66.249.70.129:42195
tcp: xx.xx.xx.xx:443 -> 66.249.70.132:45738
(These are examples from different notifications; it's usually one at a time, not many connections at a time.)
The IP here is one of the IPs installed on the server. It's not the main server IP. Nor is it an IP I am hosting any site on.
As it is showing the user as nobody, is there any way to track what is actually causing this connection?
-
Hello! "Nobody" is the Apache user. In all likelihood, CSF is erroneously flagging legitimate nginx processes as "suspicious", which can happen. From this notification, I am fairly confident in saying this is a common false positive we see with CSF firewall.
Is it actually okay for nginx to make external connections? Especially from a server IP which is neither the server's main IP nor serving any domain? After I blocked that IP with CSF Deny Server IPs, this is now happening with another IP assigned to the server, which is again not the main server IP. Any way to track which app is triggering it?
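One way to check the direction of the connections listed in a notification like the one in the question, as an added example that is not part of the original thread. A local port that the server itself listens on (80 or 443 for nginx) means a remote client opened the connection to the server; a local ephemeral port means the process opened it. The function names are hypothetical and the addresses are constructed documentation-range values.

```shell
#!/bin/sh
# Classify "tcp: local:port -> remote:port" lines from a CSF process
# tracking notification as inbound or outbound.
# $1 = space-separated list of ports the server listens on. It is passed in
# by hand here; on a live host read it from the output of `ss -ltn`.
classify_conns() {
    awk -v ports="$1" '
    BEGIN {
        n = split(ports, p, " ")
        for (i = 1; i <= n; i++) listen[p[i]] = 1
    }
    /^tcp:/ {
        line = $0
        sub(/^tcp:[ \t]*/, "", line)              # drop the protocol prefix
        split(line, side, "[ \t]*->[ \t]*")       # side[1]=local, side[2]=remote
        lport = side[1]; sub(/.*:/, "", lport)    # text after the last colon
        rport = side[2]; sub(/.*:/, "", rport)
        raddr = side[2]; sub(/:[^:]*$/, "", raddr)
        # Local port is a listening port: the remote side connected to us.
        dir = (lport in listen) ? "inbound" : "outbound"
        print dir, lport, raddr, rport
    }'
}

# Constructed sample in the notification's format (not real traffic).
# The last line shows what a connection opened by the process looks like.
sample_notification() {
    cat <<'EOF'
Network connections by the process (if any):
tcp: 192.0.2.10:80 -> 203.0.113.9:55216
tcp: 192.0.2.10:443 -> 198.51.100.129:42195
tcp:192.0.2.10:443 -> 198.51.100.132:45738
tcp: 192.0.2.10:41822 -> 203.0.113.50:443
EOF
}

sample_notification | classify_conns "80 443"
```

Lines reported as outbound are the ones to trace further, for example by matching the remote address against the nginx proxy or upstream configuration.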